Kerberos 5 admin in the CITI cell
kaserver to MIT K5 conversion
We used the AFS to K5 migration kit from Ken Hornstein of the Naval Research Laboratory. This kit provides auxiliary programs for the MIT K5 distribution that allow transparent migration from using an AFS kaserver for authentication to using an MIT K5 KDC for authentication. See this picture for a flow of how things work. The fakeka, ka-forwarder, and aklog programs are provided in the migration kit. In addition to the programs in the picture, there is a kadmind4 server provided with the MIT code that allows a user to change their password using a Kerberos 4 version of the kpasswd program. Note that the AFS kpasswd program can no longer be used to change CITI cell passwords.
Binary locations
The binaries currently in use on babble.citi.umich.edu (aka kerberos.citi.umich.edu) are located in /krb5/. The 'system' binaries are in the sbin directory and the user binaries are in bin. The source for this code is currently in /afs/umich.edu/group/itd/ifs/sandbox/kwc/krb5-1.0.5/src. There are several builds for different platforms in sister directories. The binaries running on babble were compiled on citi.umich.edu using the make and gcc programs located in /afs/umich.edu/group/itd/software/bin/.
Configuration files, etc.
/etc/krb5.conf is the general use K5 configuration file. It defines the default realm for a machine and server locations for all known realms. It also defines log file information for the KDC and admin server (kadmind). Here is an example of a krb5.conf file for the CITI cell. The configuration file for the KDC (and other programs) has a default location of /usr/local/var/krb5kdc/kdc.conf. /usr/local/var/krb5kdc/ is also the default location for the actual database files and various other related files.
Changes are also required in /etc/services to locate kerberos services. Here are the changes required in /etc/services for a client machine.
Adding new users
The kas create command is no longer used to create new principals in the cell. Instead, the kadmin command is used. To create a new user:
/krb5/sbin/kadmin -p admin/admin
< you'll be prompted for the password of admin/admin>
kadmin: addprinc exampleid
< you'll be prompted for the user's initial password twice>
Deleting users
kadmin: delprinc exampleid
<you'll be asked to verify the deletion>
Managing users
To change the ticket lifetime for an individual user:
kadmin: modprinc -maxlife "2 hours" exampleid
(This changes the default TGT lifetime to 2 hours for this user.)
To change a user's password:
To list the attributes of a principal:
To list policy information:
Creating keytabs (K4 had srvtabs, K5 has keytabs)
To create a K5 keytab file, use the kadmin ktadd subcommand. This can be invoked so that a new keytab file is created and a new random key for the principal is generated. The K5 keytab can then be converted into a K4 srvtab format for use by K4 application servers with the ktutil program.
The syntax of the ktadd subcommand is:
NOTE: The principal name formats have changed between K4 and K5. In K4, the principal and instance were separated by a period. In K5, the principal and instance are separated with a slash. So a principal name of www and instance name of buffalo in K4 would be www.buffalo@CITI.UMICH.EDU. The same principal in K5 is www/buffalo@CITI.UMICH.EDU.
To create a K5 keytab file:
To convert the keytab into a K4 srvtab format:
The first subcommand (rkt) reads the existing keytab file. The list subcommand prints the contents read from the keytab file. The wst subcommand writes the current contents to the file specified in srvtab format.
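The keytab-to-srvtab procedure above, together with the K4/K5 principal name translation from the note, as an added shell example that is not part of this page. The binary paths, the admin/admin principal and the www/buffalo principal come from the page; the output file names and the /krb5/bin location of ktutil are assumptions.

```shell
#!/bin/sh
# Added example: create a K5 keytab with kadmin ktadd and convert it to a
# K4 srvtab with ktutil (rkt, list, wst), as described on the page.
# Paths below are assumptions based on the page's /krb5 layout.
KADMIN=${KADMIN:-/krb5/sbin/kadmin}
KTUTIL=${KTUTIL:-/krb5/bin/ktutil}

# Translate a K4 name (principal.instance@REALM) into the K5 form
# (principal/instance@REALM). A name with no instance is returned unchanged.
k4_to_k5() {
    printf '%s\n' "$1" | sed 's/^\([^.@]*\)\.\([^@]*\)/\1\/\2/'
}

# Reverse translation. A K5 name with more than two components has no
# K4 equivalent, so refuse it rather than produce a misleading srvtab name.
k5_to_k4() {
    case ${1%%@*} in
        */*/*) echo "error: $1 has more than two components; no K4 form" >&2
               return 1 ;;
    esac
    printf '%s\n' "$1" | sed 's#^\([^/@]*\)/\([^@]*\)#\1.\2#'
}

# ktadd generates a new random key for the principal and appends it to the
# keytab, so any older keytab or srvtab for that principal stops working and
# must be replaced wherever it was distributed.
make_keytab() {   # make_keytab PRINCIPAL KEYTAB
    umask 077     # the keytab holds the service key: owner-readable only
    "$KADMIN" -p admin/admin -q "ktadd -k $2 $1"
}

# Read the keytab, show what was read, and write it out in srvtab format.
# wst exists only in a ktutil built with K4 support, as in the krb5-1.0.5
# build the page describes.
keytab_to_srvtab() {   # keytab_to_srvtab KEYTAB SRVTAB
    umask 077
    "$KTUTIL" <<EOF
rkt $1
list
wst $2
EOF
}

# Run the full procedure only when invoked as: sh this_script.sh run
if [ "${1:-}" = run ]; then
    make_keytab "$(k4_to_k5 www.buffalo@CITI.UMICH.EDU)" /tmp/www.keytab
    keytab_to_srvtab /tmp/www.keytab /tmp/www.srvtab
fi
```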